Cybersecurity in The Medical Industry: Episode 2 – “Navigating Safety and Security Risk Management in Medical Devices”

The second episode of our podcast series “Cybersecurity in the medical industry” takes a deeper look at essential safety and cybersecurity considerations throughout the life cycle of a medical device.

We discuss how medical device manufacturers can integrate cybersecurity activities during product development and throughout the entire product life cycle. We also delve into the importance of cybersecurity testing in post-market management. Finally, we take a look at threat modeling and risk assessment. Join us as we continue to explore how to keep users and their devices safe.

Listen to the podcast

About the speakers

This podcast features:

• Thomas Schuster, Security Evaluator, SGS Brightsight
• Vasily Kalakutskiy, Business Development Manager Medical Product Certification, SGS
• Stefan Fehn, Safety Expert Active Medical Devices, SGS
• Willy Fabritius, Global Head of Strategy & Business Development Information Security, SGS

Podcast highlights

What are the main topics covered by cybersecurity regulations for medical devices?

Cybersecurity regulations specific to medical devices, such as MDCG in Europe and pre-and post-market guidance in the USA, cover:

• Pre-market management: the security risk management process and the secure product life cycle
• Post-market management: coordinated vulnerability disclosure, vulnerability remediation, incident response and legacy

Pre-market management aims to establish processes for designing, developing and maintaining the medical device, following the secure-by-design principle. It includes security risk management, which includes threat modeling and risk assessment, and then implementation and testing of the required security features.

Post-market management considers all processes that should be in place after the product has been released on the market. It is assumed that no device is completely secure, and that future technologies could be used to identify new vulnerabilities to exploit. The manufacturer must be prepared to address any identified vulnerability and react promptly to any attack.

The manufacturer should also plan for the product’s end of life. This is especially important for medical devices with long life spans and critical essential performance.

At which points in the total product life cycle (TPLC) should cybersecurity activities be performed?

Cybersecurity should be addressed at all stages of the TPLC.

It is essential during the planning stage in order to comply with regulations and to minimize the cost of dealing with vulnerabilities later on. During this stage, all cybersecurity processes and activities, such as the security risk management plan, security policy and vulnerability handling plan, must be defined.

The secure-by-design principle should be implemented during the design stage. During this stage, threat modeling and risk assessment (TARA) should be performed, based on the provided safety and security polices and requirements. The TARA should then be used to design countermeasures to mitigate the identified threats.

During the implementation and testing stage, developers and testers must follow defined security requirements and plans while ensuring that the final product meets the aims of the original design.

How do I start? What kind of support does SGS offer manufacturers?

We offer training courses for medical devices manufacturers, where you can learn more about best practices for integrating cybersecurity requirements throughout the TPLC. In addition, we offer public training courses on ISO/IEC 27001 and ISO/IEC 42001.

We also help with TARA reviews and, if needed, we can help you to write the first draft of your TARA.

Moreover, we provide support with security architecture design as well as the testing of single components of a medical device before the final prototype is available. This will help you to identify weaknesses early in the product life cycle, saving you time and money.

We are also developing a service for periodic surveillance of vulnerabilities that could be linked to the Software Bill of Materials (SBOM). 

About the Changing Conversations podcast

Join us for the Changing Conversations podcast, where we take a deep dive into the complex issues facing the modern world and shine a light on the innovations that can make a difference. Each episode offers a fresh perspective on a unique topic – from the transition to a more sustainable world to AI technology.